
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.8.4 release notes &#8212; Django 2.2.12.dev20200304094918 documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django 1.8.3 release notes" href="1.8.3.html" />
    <link rel="prev" title="Django 1.8.5 release notes" href="1.8.5.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 2.2.12.dev20200304094918 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.8.5.html" title="Django 1.8.5 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.8.3.html" title="Django 1.8.3 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.8.4">
            
  <div class="section" id="s-django-1-8-4-release-notes">
<span id="django-1-8-4-release-notes"></span><h1>Django 1.8.4 release notes<a class="headerlink" href="#django-1-8-4-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>August 18, 2015</em></p>
<p>Django 1.8.4 fixes a security issue and several bugs in 1.8.3.</p>
<div class="section" id="s-denial-of-service-possibility-in-logout-view-by-filling-session-store">
<span id="denial-of-service-possibility-in-logout-view-by-filling-session-store"></span><h2>Denial-of-service possibility in <code class="docutils literal notranslate"><span class="pre">logout()</span></code> view by filling session store<a class="headerlink" href="#denial-of-service-possibility-in-logout-view-by-filling-session-store" title="Permalink to this headline">¶</a></h2>
<p>Previously, a session could be created when anonymously accessing the
<code class="docutils literal notranslate"><span class="pre">django.contrib.auth.views.logout()</span></code> view (provided it wasn’t decorated
with <a class="reference internal" href="../topics/auth/default.html#django.contrib.auth.decorators.login_required" title="django.contrib.auth.decorators.login_required"><code class="xref py py-func docutils literal notranslate"><span class="pre">login_required()</span></code></a> as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users’ session records to be evicted.</p>
<p>The <a class="reference internal" href="../ref/middleware.html#django.contrib.sessions.middleware.SessionMiddleware" title="django.contrib.sessions.middleware.SessionMiddleware"><code class="xref py py-class docutils literal notranslate"><span class="pre">SessionMiddleware</span></code></a> has been
modified to no longer create empty session records, including when
<a class="reference internal" href="../ref/settings.html#std:setting-SESSION_SAVE_EVERY_REQUEST"><code class="xref std std-setting docutils literal notranslate"><span class="pre">SESSION_SAVE_EVERY_REQUEST</span></code></a> is active.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Added the ability to serialize values from the newly added
<a class="reference internal" href="../ref/models/fields.html#django.db.models.UUIDField" title="django.db.models.UUIDField"><code class="xref py py-class docutils literal notranslate"><span class="pre">UUIDField</span></code></a> (<a class="reference external" href="https://code.djangoproject.com/ticket/25019">#25019</a>).</li>
<li>Added a system check warning if the old <code class="docutils literal notranslate"><span class="pre">TEMPLATE_*</span></code> settings are defined
in addition to the new <code class="docutils literal notranslate"><span class="pre">TEMPLATES</span></code> setting.</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">QuerySet.raw()</span></code> so <code class="docutils literal notranslate"><span class="pre">InvalidQuery</span></code> is not raised when using the
<code class="docutils literal notranslate"><span class="pre">db_column</span></code> name of a <code class="docutils literal notranslate"><span class="pre">ForeignKey</span></code> field with <code class="docutils literal notranslate"><span class="pre">primary_key=True</span></code>
(<a class="reference external" href="https://code.djangoproject.com/ticket/12768">#12768</a>).</li>
<li>Prevented an exception in <code class="docutils literal notranslate"><span class="pre">TestCase.setUpTestData()</span></code> from leaking the
transaction (<a class="reference external" href="https://code.djangoproject.com/ticket/25176">#25176</a>).</li>
<li>Fixed <code class="docutils literal notranslate"><span class="pre">has_changed()</span></code> method in <code class="docutils literal notranslate"><span class="pre">contrib.postgres.forms.HStoreField</span></code>
(<a class="reference external" href="https://code.djangoproject.com/ticket/25215">#25215</a>, <a class="reference external" href="https://code.djangoproject.com/ticket/25233">#25233</a>).</li>
<li>Fixed the recording of squashed migrations when running the <code class="docutils literal notranslate"><span class="pre">migrate</span></code>
command (<a class="reference external" href="https://code.djangoproject.com/ticket/25231">#25231</a>).</li>
<li>Moved the <a class="reference internal" href="1.8.html#unsaved-model-instance-check-18"><span class="std std-ref">unsaved model instance assignment data loss check</span></a> to <code class="docutils literal notranslate"><span class="pre">Model.save()</span></code> to allow easier usage
of in-memory models (<a class="reference external" href="https://code.djangoproject.com/ticket/25160">#25160</a>).</li>
<li>Prevented <code class="docutils literal notranslate"><span class="pre">varchar_patterns_ops</span></code> and <code class="docutils literal notranslate"><span class="pre">text_patterns_ops</span></code> indexes for
<code class="docutils literal notranslate"><span class="pre">ArrayField</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25180">#25180</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 1.8.4 release notes</a><ul>
<li><a class="reference internal" href="#denial-of-service-possibility-in-logout-view-by-filling-session-store">Denial-of-service possibility in <code class="docutils literal notranslate"><span class="pre">logout()</span></code> view by filling session store</a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="1.8.5.html"
                        title="previous chapter">Django 1.8.5 release notes</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="1.8.3.html"
                        title="next chapter">Django 1.8.3 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>This Page</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/1.8.4.txt"
            rel="nofollow">Show Source</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>Quick search</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Mar 04, 2020</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="1.8.5.html" title="Django 1.8.5 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.8.3.html" title="Django 1.8.3 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>